Archived source #258 — Azure / Azure Machine Learning [original]

Azure Machine Learning SSRF

Published Mon, Jun 17th, 2024

Platforms

azure

Summary

Certain API endpoints on ml.azure.com and ai.azure.com used for adding/viewing data connections could be leveraged for server side request forgeries (SSRF). While they do have protections to restrict making requests to internal hosts, it was possible to circumvent those protections using a 301 or 302 redirect response which points to a sensitive host.

Affected Services

Azure Machine Learning

Remediation

None required.

Tracked CVEs

No tracked CVEs

References

https://www.microsoft.com/en-us/msrc/blog/2024/06/mitigating-ssrf-vulnerabilities-impacting-azure-machine-learninghttps://www.tenable.com/security/research/tra-2024-22

Entry Status

Stub

Disclosure Date

-

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Tenable, Wiz

More vulnerabilities...

high

GitHub Copilot Chat Vulnerable to Data Exfiltration

github

GitHub Copilot Chat VS Code Extension was vulnerable to data exfiltration via prompt injection when analyzing untrusted source code. The vulnerability allowed attackers to access previous conversat...

wunderwuzzi, Embrace The Red
medium

Issue with Amazon EC2 VM Import Export Service

aws

AWS addressed an issue with the Amazon EC2 VM Import Export Service where importing Windows VMs with custom Sysprep answer files resulted in an unprotected backup copy being created, potentially ex...

Immersive Labs
high

Issue with AWS Deployment Framework

aws

CVE-2024-37293 affects the AWS Deployment Framework's bootstrap process, potentially allowing privilege escalation if an actor has permissions to change CodeBuild projects or Lambda functions. The ...

Xidian University
View all